Message-ID: <4BF97501.3010104@madirish.net>
Date: Sun, 23 May 2010 14:33:37 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Global Redirect 6.x-1.2 Arbitrary Redirection

I totally effed up on this one.  It has rightfully been pointed out that
this issue was public a *month* ago, and the disclosure was made by
folks totally unrelated to Drupal security.  Completely my bad.
Sincerest apologies to all for my royal fuckup.  I should have checked
the module issue queue before reporting the issue in the first place!

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail can be verified using
the key at http://www.madirish.net/gpgkey

On 05/23/2010 08:15 AM, Justin C. Klein Keane wrote:
> Details of this vulnerability can also be found at:
> http://www.madirish.net/?article=460
> 
> Description of Vulnerability:
> -----------------------------
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL.  The Drupal Global Redirect module
> (http://drupal.org/project/globalredirect) is designed to address issues
> with path aliases in Drupal that could result in user confusion or
> search engine sandboxing.  Unfortunately the Global Redirect module does
> not perform adequate input checking.
> 
> Systems affected:
> -----------------
> Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be
> vulnerable.  According to
> (http://drupal.org/project/usage/globalredirect) some 30,000 sites may
> be affected by this issue.
> 
> Impact
> ------
> Attackers can provide links to the target site that actually redirect users
> to third party sites.  Such tactics are common in phishing and other
> trust exploitation attacks.  For instance, attackers could provide a
> link to a legitimate site in an e-mail that when clicked on would take
> the user to an untrusted third party site.
> 
> Mitigating factors:
> -------------------
> In order to execute the proof of concept described below the attacker
> must trick a user into clicking on a link with malicious parameters.
> 
> 
> Proof of Concept:
> -----------------
> Attackers need only provide a link to the target site appended with
> /index.php?q=[target_url].  For instance, if the site in question were
> http://172.16.46.129/drupal-6.16, the following link would redirect the
> user to the Google.com homepage:
> 
> http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com
> 
> Technical Discussion:
> ---------------------
> The drupal_goto function
> (http://api.drupal.org/api/function/drupal_goto) normally restricts
> redirects to local links utilizing a check on lines 323-327 in
> includes/common.inc.  However, the Global Redirect module does not
> perform any such checking.  If a redirect request is detected in the
> form of a URL GET parameter 'q' when calling the index page, the
> Global Redirect module forwards the request to the parameter value.
> 
> Vendor Response:
> ----------------
> In an uncoordinated disclosure, Drupal security decided to handle this
> issue publicly at http://drupal.org/node/768244.
> 
> Patch:
> ------
> Applying the following patch mitigates this vulnerability:
> --- globalredirect/globalredirect.module        2008-12-22
> 05:34:32.000000000 -0500
> +++ globalredirect.fixed/globalredirect.module  2010-05-21
> 15:26:08.497695637 -0400
> @@ -146,7 +146,12 @@ function globalredirect_init() {
>      if ($_REQUEST['q'] != $prefix . $alias) {
>        // If it's not just a slash or user has deslash on, redirect
>        if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' ||
> $redirect_slash) {
> -        drupal_goto($alias, $query_string, NULL, 301);
> +        // Do not redirect to an absolute URL originating from user input.
> +               $colonpos = strpos($request, ':');
> +               $absolute = ($colonpos !== FALSE &&
> !preg_match('![/?#]!', substr($request, 0, $colonpos)));
> +               if (!$absolute) {
> +                       drupal_goto($request, $query_string, NULL, 301);
> +               }
>        }
>      }
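Review bot: the new `drupal_goto($request, $query_string, NULL, 301);` redirects to `$request`, whereas the removed line redirected to `$alias`, and `$request` is not assigned anywhere in the visible context (the surrounding lines only use `$prefix`, `$alias`, `$_REQUEST['q']` and `$redirect_slash`); please confirm that `globalredirect_init()` sets `$request` from the request path earlier in the function, otherwise the redirect target silently changes from the computed alias to an unset variable. Two smaller points: the added lines use a different indentation width from the two-space style of the surrounding code, and when `$absolute` is true the block simply falls through, so a refused redirect leaves no trace; a `watchdog()` entry at that point would make these attempts visible in the site log.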

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

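The absolute-URL test described in the Technical Discussion and applied in the quoted patch, as an added example that is not part of the original post or of the Global Redirect module (the gr_* function names and the sample inputs are mine; PHP 7.1 or later is assumed for the nullable return type):

```php
<?php
// Added example; not code from the advisory or from the Global Redirect module.
// gr_is_absolute_url() reproduces the test used in the patch quoted above:
// a request path counts as an absolute URL when it contains ':' and none of
// '/', '?' or '#' appears before that colon, i.e. the text in front of the
// colon looks like a URL scheme rather than a path segment or query value.
function gr_is_absolute_url(string $request): bool
{
    $colonpos = strpos($request, ':');
    if ($colonpos === false) {
        return false;                 // no colon, so no scheme is possible
    }
    // A colon that follows '/', '?' or '#' sits inside a path or query
    // (e.g. "node/1?x=a:b") and does not make the value an absolute URL.
    return !preg_match('![/?#]!', substr($request, 0, $colonpos));
}

// Stricter wrapper (my assumption of what a defender would deploy, not
// something the module ships): only return a value that may be handed to
// drupal_goto() as an internal path; refuse absolute URLs, empty input and
// values beginning with two slashes or backslashes, which are scheme-relative
// references to another host rather than local paths.
function gr_local_redirect_target(string $request): ?string
{
    if ($request === '' || gr_is_absolute_url($request)) {
        return null;
    }
    if (preg_match('!^[\\\\/]{2}!', $request)) {
        return null;
    }
    return ltrim($request, '/');      // drupal_goto() expects "node/1", not "/node/1"
}

// Constructed sample inputs; the first absolute one is the PoC target from the advisory.
$samples = array(
    'node/1',
    '/about-us/team',
    'node/1?x=a:b',
    'http://www.google.com',
    'mailto:user@example.com',
    '//www.example.com/',
);
foreach ($samples as $q) {
    $target = gr_local_redirect_target($q);
    printf("%-26s absolute=%-3s redirect=%s\n", $q,
        gr_is_absolute_url($q) ? 'yes' : 'no',
        $target === null ? '(refused)' : $target);
}
```

Running the script prints one line per sample; only the three local paths yield a redirect target, the two scheme-carrying values are reported as absolute, and the scheme-relative value is refused by the stricter wrapper alone.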
